OSCP – My Beginning, My Fall, My Rise and My Resources – Just Like Batman

I officially got notice today (5/26/2020) that I passed my OSCP exam. I am going to keep this light with a focus on study resources, as there are many and better writeups on how to tackle the OSCP. It took me about a year and two test attempts, but I finally made it. This was the hardest singular exam I have ever taken, as the breadth of knowledge required and my starting point made this quite a significant task. My boss provided the funds for me to purchase the course materials last summer (2019 – thanks Tavis!) and I studied/focused on the book material right out the gate…huge mistake. I let my lab time expire and barely touched it. At the time of expiration, I had popped a single low privilege shell using SQLMap (not even allowed on the test) and had 0 additional success prior to lab expiration. I knew I was nowhere near being ready, so I turned to forums and found folks were prepping by working with machines from Vulnhub and Hack The Box. Prior to my first attempt at the test (Feb 2020) I did purchase 15 days of lab time to see what I could do, and I had quite a bit of success. I attempted and failed the test in Feb 2020 due to time management – shocker! This is a common reason folks post for failing and I now wholly understand why. In April of 2020 I attempted a second time with a different strategy and came out on top!

Resources

I took a lot of guidance from this post: https://forum.hackthebox.eu/discussion/1730/a-script-kiddie-s-guide-to-passing-oscp-on-your-first-attempt

Here are the materials I really used to prep for the exam:

  1. PWK course materials
    1. Read the book
    2. Attacked the lab (especially with the second block of time)
    3. Watched the videos – sort of
      1. Probably could have gotten more value here
  2. Hack The Box – retired machines
    1. As many of the solved easy-medium ones as I could
      1. Requires the VIP subscription but this is like $120/year
  3. VulnHub – OSCP-Like
    1. https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms
  4. Buffer Overflow Practice
    1. https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/
  5. IPPSec videos
    1. Watched all CTF Windows Easy
    2. Watched most CTF Windows Medium
      1. These are amazing!!!

My Study Strategy

I really took to heart the blog post from LRNZO above and followed the guidance. For some reason, it really resonated with me on reading, so I settled on that for my strategy. I dove in and heftily focused on OSCP-like machines across HTB and VulnHub. I spent very little time using or learning Metasploit – just the basic commands needed to attempt an exploit or to use the multi-handler. My intention was to conquer all of the machines without Metasploit, or at least attempt them without having to use it. In retrospect, I think I should have spent a little more time here and learned the tooling better, as I do think one of the test machines I ran into was potentially meant to be cracked with MS, and I didn’t end up getting that one. I really got the most value from the retired HTB machines and the writeups. I would attempt these machines myself and then read the writeup posts to see if there were things I could have done differently. It is always pretty humbling to see how badly you struggle doing something and then watch something like an IPPSec video on it, where he shows you 3-4 different ways to accomplish it. The best/craziest part about learning all of this really comes down to the Einstein quote – “The more I learn, the more I realize how much I don’t know”….so very true. This is also where Rana Khalil’s writeups were awesome – I loved her approach on recon and how concise her writeups were.

Key element for sure – focus on the basics and recon, recon and then recon some more. Enumerate. Find the nooks and crannies until something presents itself. I cannot tell you how many machines I have solved now when I have given up all hope (almost) and then tried just one more thing…and then the lid blows off. This even happened during the test. I am coming to find that mindset is key and mental endurance (especially during the test) is a necessity.

Time Management

Test Take #1: Wow, did I fail on this the first time around. I read a lot of blog posts on how to tackle the test. I decided to go with the early morning start – get the test rolling as I would my normal work day, hit the BOF right out the gate, plan to have 60-65 pts by dinner, take a break to hang with the family, crack the rest of the machines by midnight and get a good night’s sleep with a score of 100 – heh, that didn’t happen. Rather, I hit a snag with the BOF, spent around 2-3 extra hours flummoxed there (something silly), started reconning the other machines late, ended up in a mental tailspin and completely defeated myself by late eve. I think I may still have only had the BOF (25 pts) at midnight, and that was largely due to my approach, my frustration and my deviation from the game plan. I kept looking for the quick easy win rather than working the recon and making sure I was not missing something. I had a printed-out playbook on what to do and how to recon based on service enumeration, which went completely out the window as I sought homerun after homerun. You have to go into the test with a game plan and STICK TO IT. In the wee hours of the morning, I was exhausted and mentally defeated. If I would have submitted the report, I think I would have been around 55 pts when the clock ran out.

Test Take #2: The approach on this attempt was way different. First, a lot of the blog posts suggest doing the BOF right out the gate and getting it out of the way – I say nay to that. Rather, make sure you are as comfortable as you can be with them and do the BOF when your brain is fried. That is why you practice anything – so you develop the muscle memory and you can execute it in your sleep. I took the opposite approach as to when to start this time as well – rather than starting with my normal day and then spending my exhausted time in front of the keyboard when it was dark outside and I am normally asleep, I started my test at 6PM so that I would spend my truly exhausted time during the day when the sun was out and I would normally be working. 6AM came around the next morning, I was still chugging, I put on a pot of coffee and I pulled a true all-nighter, never actually having my head hit the pillow during the test. I only ended up with 70 pts (I was oh so close on another machine right as the clock ticked off), but the point is that I was actually still going strong(ish) at the end.

For this, you have to do what you think will be right for you, however, for me it came down to figuring out how I was going to be able to stay positive enough to defeat Debbie Downer when she came knocking. Fatigue is a mighty foe and not to be trifled with.

Advice

I’ve been hit up a few times now by folks looking to start their OSCP/Pentesting/Cybersecurity journey asking me how to get started. I would say that the OSCP is maybe not so much where to start your cybersecurity trek; however, if you are specifically looking to get started with pentesting and learning this tooling, then the most important thing to understand is that it is totally OK to fail…but not too fast. You need to feel the pain. Don’t hit the walkthroughs, blogs or forums too fast when working a machine, but don’t wait forever either. Make sure you are truly stuck and then go and get the answer you need to move on to the next step. The whole “Try Harder” crud is garbage (IMO) – smashing your face into the same wall over and over does not teach you anything. Do your best to make sure you are truly at a dead stop and then go get the answer you need to move to the next step. Make sure you understand what it took to overcome that block and tuck it away in your utility belt for next time (aka learning) – this is especially true early on. If you could already solve all of these machines and you had infinite time then “Try Harder” might apply; however, thinking back to math in HS and college, there was a reason the odd numbered questions had their answers in the back of the book….

Additional Resources

These are ones I just want to call out as coming in very handy in prep for the test. There is so much to learn, and so many resources out there that provide invaluable insight and capabilities, that it would prove impossible to list them all. The most important resource is most likely your favorite search engine.

Pentestmonkey Reverse Shell Cheat Sheet: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Nishang: https://github.com/samratashok/nishang

Crackstation: https://crackstation.net/

GTFOBins: https://gtfobins.github.io/

Footnote

I do have to add a special footnote here and say thanks to my wife. She watched the kids while I studied and had to tackle them fully on her own the full day of the test. With a 3- and 7-year-old at home, that was no small feat, and this was in the midst of shelter at home. Thanks Erin!
